Protecting Critical Infrastructures – Risk and Crisis Management


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Protecting Critical Infrastructures – Risk and Crisis Management

  1. 1. Protecting Critical Infrastructures – Risk and Crisis Management A guide for companies and government authorities
  2. 2. Foreword Our society’s existence depends on securing the supply of a wide variety of products, services and func- tions. Protecting vital institutions is therefore a key responsibility of state security. The threat of inter- national terrorism and the increasing number of natural disasters pose a growing challenge for the protection of such critical infrastructures. And information technology, which has pervaded all areas of life and economic activity, brings new vulnerabilities. Because most of the infrastructures which are critical for our society are privately operated, in Germany the government and the private sector work hand in hand to ensure effective protection for these systems and facilities. The security authorities assist the private companies with advising and networking as well as specific recommendations for action. And the private sector contributes its expertise and practical experience to this partnership. This guide to risk and crisis management is one product of such cooperation. The guide is addressed to operators of critical infrastructures and is intended to help them create and expand their own systems of risk and crisis management. Drawing on the general recommendations in the Baseline Security Strategy for the Protection of Critical Infrastructures (Federal Ministry of the Interior, 2005), this guide offers methods for implementing risk and crisis management and practical tools in the form of exam- ples and checklists. When developing this guide, the Federal Ministry of the Interior, the Federal Office of Civil Protection and Disaster Assistance and the Federal Office for Information Security received assistance from experts with practical experience in the private sector. The Federal Ministry of the Inte- rior would therefore like to thank the following for their help throughout the entire process: the employers’ liability insurance association for banks, insurance companies, administrations, liberal professions and special companies, Mr Bernd Marquardt and Mr Hans-Jürgen Penz; Commerzbank AG, Mr Heinz-Peter Geil; the Forschungszentrum Jülich GmbH, Ms Sonja Altstetter; Fraport AG, Mr Friedhelm Jungbluth and Mr Jens Sanner; Gelsenwasser AG, Mr Uwe Marquardt; Infraprotect GmbH, Mr Wolfgang Czerni; Trauboth Risk Management GmbH, Mr Frank Tesch; VERISMO GmbH, Dr Klaus Bockslaff; and their employees. The following partners also deserve thanks for contributing advice and suggestions: EnBW Regional AG, the German Insurance Association (reg’d. society) and the Arbeitsgemeinschaft für Sicherheit der Wirtschaft e. V. Following the CIP Implementation Plan adopted by the Federal Cabinet in summer 2007 as part of the National Plan for Information Infrastructure Protection, this guide to risk and crisis management is a further contribution by the Federal Ministry of the Interior to strengthen the protec- tion of critical infrastructures. At the same time, it underscores the importance of constructive coopera- tion between government and the private sector in this key area of internal security. Berlin, January 2008 Forschungszentrum Jülich in der Helmholtz-Gemeinschaft 1
  3. 3. Table of Contents Foreword 1 Summary 7 1. Introduction 9 2. Basic information about critical infrastructures 10 2.1 Sectors 10 2.2 Critical infrastructures: Framework conditions and characteristics 10 2.2.1 Changes in the threat situation 10 2.2.2 Socio-economic framework conditions 11 2.2.3 Special characteristics of critical infrastructures 11 2.3 Legal requirements concerning risk and crisis management 12 3. Risk and crisis management to protect critical infrastructures 14 3.1 Phase 1: Preliminary planning 15 3.1.1 Establishing risk and crisis management 15 3.1.2 Division of responsibilities 15 3.1.3 Resources 15 3.1.4 Clarifying legal obligations 15 3.1.5 Strategic protection aims 15 3.1.6 Risk communications 16 3.2 Phase 2: Risk analysis 16 3.2.1 Criticality analysis 17 3.2.2 Risk identification 18 Threat analysis and scenario development 18 Vulnerability analysis 19 Risk calculation 20 Comparing and evaluating risks 20
  4. 4. 3.3 Phase 3: Preventive measures and strategies 21 3.3.1 Risk reduction 21 3.3.2 Risk avoidance 21 3.3.3 Risk shifting 22 3.3.4 Acceptance of risks (residual risks) 22 3.3.5 Property insurers’ experience with damages 22 3.4 Phase 4: Crisis management 22 3.4.1 The structure of crisis management 24 The crisis management plan 24 Special crisis structures 25 Crisis task force 25 Crisis task force leadership 26 Crisis task force team 26 Expert advisers in the task force 26 Procedures 26 Reporting channels and alerts 26 Crisis communications 29 Crisis management centre 30 3.4.2 Crisis management 30 Information gathering and review 31 Situation assessment, decision-making and implementation of measures 32 Monitoring 32 Ensuring continuity of operations 32 Return to normal operations 32 Documentation of crisis management operations 32 3.4.3 Follow-up 33 3.4.4 Exercises 33 3.5 Phase 5: Evaluating risk and crisis management 34 Annex I. References 36 II. Terminology 38
  5. 5. III. List of threats – Information on types, exposure, intensity, impacts and points of contact 42 IV. Checklists 45 IV.1 Preventive measures 46 IV.1.1 Risk and crisis management – general 46 IV.1.2 Grounds, buildings, facilities – floods 47 IV.1.3 Grounds, buildings, facilities – earthquakes 48 IV.1.4 Grounds, buildings – storms 49 IV.1.5 Grounds, buildings – wilful criminal and /or terrorist acts 49 IV.1.6 Facilities and equipment – power supply 51 IV.1.7 Facilities and equipment – information technology 53 IV.1.8 Facilities and equipment – communications technology 54 IV.2 Crisis management review 55 IV.2.1 General organization 55 IV.2.2 Staff – general 59 IV.2.3 Crisis management – pandemic planning (especially influenza pandemic) 60 IV.3 Crisis management 62 IV.3.1 General procedures during crisis 62 IV.3.2 Special emergency procedures 64 IV.4 Follow-up 68 IV.5 Exercises 69 IV.6 Selecting and equipping a crisis management centre 70 V. Risk analysis example 74 V.1 Criticality analysis 74 V.2 Threat analysis and scenario development 75 V.3 Vulnerability analysis 76 V.4 Risk calculation 77 V.5 Risk comparison 80
  6. 6. 6
  7. 7. Summary This guide offers a management strategy to help operators Phase 1 – Planning in the organization of critical infrastructures, i.e. companies and government Thorough planning creates the necessary conditions for suc- authorities, identify risks, implement preventive measures cessfully implementing all or part of this guide. and deal with crises effectively and efficiently. Critical infra- structures are understood here as organizations and institu- Before implementing the guide, fundamental issues need tions of central importance for the country and its people to be clarified, including how risk and crisis management is whose failure or functional impairment would lead to severe anchored in the organization, the definition of responsibili- supply bottlenecks, significant disruption of public security ties for implementation, availability of resources, clarification or other dramatic consequences. of legal obligations to establish risk and crisis management, and the definition of strategic protection aims to be achieved Recent history has shown that infrastructures can indeed be in the company or government authority. damaged and that disruption of critical processes can have far-reaching social and economic impacts. Phase 2 – Risk analysis A risk analysis provides a structured overview of an organiza- Serious damage may be caused by tion’s individual processes, possible threats to these processes and the vulnerability inherent in these processes. Combining natural events, this information yields a risk analysis for all critical processes technical failure or human error, in individual scenarios. intentional acts of a terrorist or other criminal nature and war. The information on risks can be compared, to provide an easy-to-understand picture of risks in which risk priorities can Operators of critical infrastructures need to be aware of these be identified. causes and prepare for them. This means identifying and reducing risks as far in advance as possible and preparing for The results of the risk analysis can be evaluated by checking unavoidable crises as much as possible. Doing so helps ensure them against the strategic protection aims already set. If it is survival in the event of a crisis, thereby helping companies not possible to achieve most of the strategic protection aims, add value and comply with legal requirements and helping then concrete measures must be taken to reduce existing government authorities fulfil their mission of providing vital risks and make it easier to deal with crises. services. The strategy for risk and crisis management presented in this guide consists of five phases: planning to set up a system of risk and crisis management, describing the basic aspects of risk analysis, implementing preventive measures, portray- ing aspects of robust crisis management and evaluating the system of risk and crisis management in an organization. The term “organization” refers here to companies or government authorities which operate critical infrastructures as defined above. 7
  8. 8. Phase 3 – Preventive measures and strategies Phase 5 – Evaluation of risk and crisis management Preventive measures help reduce risks to processes and thus Evaluation covers all phases of risk and crisis management, to the provision of products and services. They make organi- from the measures identified during planning to checking zations more crisis-resistant, helping to reduce the number that risk profiles are current and preventive measures and and intensity of crisis events. Preventive measures are aimed crisis management are effective. Such evaluation should be at actively protecting components within organizations or undertaken regularly. creating redundancies. Additional evaluations may be necessary Other possibilities include avoiding, shifting or consciously accepting risks. Here, one should be aware that risk avoid- after measures are implemented, ance usually entails a certain lack of flexibility for the com- after the organization is expanded or restructured, and pany or government authority. Shifting risk does not reduce if the threat situation changes. physical risks, but only ensures financial compensation, although this may be significantly less than actual damage The annex to this guide contains an example for carrying out caused in individual cases. a risk analysis and checklists for measures implemented in the organization. Phase 4 – Crisis management If a company or government authority experiences serious Contact: damage despite preventive measures, crisis management Bundesamt für Bevölkerungsschutz und Katastrophenhilfe should provide for special structures to deal with the situa- Abteilung II tion. Notfallvorsorge, Kritische Infrastrukturen Provinzialstraße 93 Crisis management includes special structures and proce- 53127 Bonn, Germany dures which differ from those for regular operations. During a crisis, decision-making authority is centralized in order to be able to react to situations without delay, containing the impact of a crisis and reducing the time needed to restore normal operations. 8
  9. 9. 1 depend on their unlimited availability. Introduction Infrastructures are an essential part of our highly developed society. In our daily lives, we all rely on infrastructures and Since 1997, the federal government has focused on protecting what are known as critical infrastructures in order to analyse the need for additional protective measures. Critical infra- structures are understood as “organizations and institutions of central importance for the country and its people whose failure or functional impairment would lead to severe supply The financial and personnel resources available to opera- tors to protect their infrastructure systems are limited, so it is especially important to use these resources efficiently and effectively. To do so, it is essential to be aware of the threats and risks and of the possibility to compare and assess risks in order to set priorities. This then provides the groundwork for implementing targeted protection measures. This guide, “Critical Infrastructure Protection: Risk and Crisis Management” is the product of collaboration among private bottlenecks, significant disruption of public security or other industry, government authorities and a research institute. dramatic consequences.”1 The guide applies to all sectors and is intended for companies and government authorities as a tool for self-analysis. Their constant availability is threatened by natural events, technical failure or human error and intentional acts of a ter- It brings together information on the theory behind risk and rorist or other criminal nature. An armed conflict in Germany crisis management with practical checklists and an exam- would also result in enormous damage to infrastructures. ple of risk analysis with the aim of enabling companies and government authorities to set up or expand an effective and The threat situation has changed constantly over the past efficient system of risk and crisis management on their own years. There are indications that the threat of natural disas- or with external help. ters as well as threats posed by terrorist or criminal activity are on the rise, creating new challenges for society. From the federal perspective, the overarching goal is to reduce the impact of extreme incidents on critical infrastruc- Like the threat situation, the vulnerability of infrastructures tures and to be better able to handle anticipated crises. is also changing. Most infrastructure systems today are linked in some way. Disruptions in one area can multiply in other locations, branches or sectors, with an impact that extends far beyond the original area of damage. 1 As defined by the Working Group on Infrastructure Protection (AK KRITIS) at the Federal Ministry of the Interior on 17 November 2003. 9
  10. 10. 2 2.1 Sectors Basic information energy (electricity, oil, natural gas) water and food supply, health care, emergency medical services information and communications technology transport about critical infrastructures Critical infrastructures as defined in the Introduction are mainly found in the following sectors: 2.2.1 Changes in the threat situation Disruptions to critical processes of infrastructure systems can have far-reaching social and economic consequences. Although the following examples do not clearly indicate a trend towards a more critical threat situation, they do confirm the need for ongoing protection of critical infrastructures. Example: Extreme weather Extreme weather can have a direct impact on infrastructure hazardous materials (chemical industry and systems. It is still too early to reliably predict changes in biological substances) extreme weather events in Germany due to global climate banking and finance change, as there is not yet enough information on atmo- government authorities, public administration and spheric warming and its effects on Germany. However, some the judicial system trends, such as an increase in heavy precipitation, have shown media, major research institutes and cultural assets up in weather data. Flooding on the rivers Oder in 1997 and Elbe in 2002 and around the Alps in 2005 follows this pattern.2 2.2 Critical infrastructures: Framework Example: Public health threats (influenza pandemic) conditions and characteristics In the 20th century, there were several major outbreaks of influenza, including the Spanish flu pandemic in 1918 which In recent years, disruptions of critical infrastructures have killed more than 50 million people world-wide. Today, repeatedly been characterized by two features: experts agree that it is only a matter of time until a new and highly dangerous virus evolves from mutations. An influenza 1. Widespread impact on infrastructures caused in particular pandemic would also spread throughout Germany via the by natural threats, with regional, national or Europe-wide country’s international transport hubs. The effects would impacts (e. g. flooding of the River Elbe in 2002, winter storm threaten all areas of life, including the entire private sector Kyrill in 2007). and government agencies. Not only can a pandemic affect demand for products and services, it can also threaten the 2. Local disruptions or damage have impacts which in some entire economic and social infrastructure. The availability cases extend far beyond the original area of damage due to of many resources and services could be limited or cut off networks and connections across regions and between systems entirely. Due to mutual dependencies, this can lead to a dom- (e. g. shutdown of a power line across the River Ems in 2006 ino effect shutting down much of the government, economy which led to blackouts in parts of Europe). and society.3 Models calculated for Germany figure an infec- tion rate of 15–50 percent.4 In addition to employees who are In the following, the central elements of changed and chang- unable to work because they are ill, others would stay home ing framework conditions and characteristics are analysed, to care for sick family members or out of fear of infection, providing the basis for developing a system of risk and crisis significantly increasing the absentee rate. management using this guide. 2 Rahmstorf et al., 2006, p. 70. 3 Federal Office for Civil Protection and Disaster Assistance, 2007. 4 Robert Koch Institut 2007b, p. 4. 10
  11. 11. BASIC INFORMATION ABOUT CRITICAL INFRASTRUCTURES Example: International terrorism Demographic change International terrorism is characterized by loosely structured Changes in the age structure of society and migration-related networks. Individual cells are connected by little more than changes to population density within Germany create new common aims; they operate largely independent of each demands on critical infrastructures, in some cases with other and without a central command structure. Such loose ramifications for security. For example, decreasing water networks are able to act quickly and flexibly without being consumption and the resulting reduced flow of water to end detected.5 In 2006, attempts to set off bombs on two regional users can create hygiene problems in water supply systems. trains failed for technical reasons; in 2007, the authorities were able to prevent planned attacks against a number of US Changed economic framework conditions 7 installations in Germany. Changes in market activity, such as those caused by market liberalization and privatization of state-owned infrastructure Example: Information technology operators, can affect the level of security and investment The news media report almost daily on hacker attacks or in security measures. Competition and the pressure to cut industrial or economic espionage. Even apart from such costs create conditions in which security precautions such threats, however, hard- and software failures and simple as back-up systems and other buffers are reduced. Although human error can lead to significant impacts and damage operators largely comply with regulatory requirements, to critical infrastructures. One example is the large-scale increasingly precise calculations allow them to take greater power outages in the US and Canada in 2003 largely due to advantage of room for discretion and to reduce security buff- problems with one electricity provider’s transmission system. ers, which are then missing especially in crisis situations. Another example is the collapse of the entire EC debit card system in Switzerland in 2000 resulting from an error in one computing centre. 2.2.3 Special characteristics of critical infrastructures Networks within sectors 2.2.2 Socio-economic framework conditions Infrastructure services are provided over large areas via phys- ical, virtual or logical networks. These networks are growing Growing dependence in size and complexity. Intersections within these networks Private industry and government agencies increasingly represent possible areas of vulnerability, where disruption depend on external providers of goods and services. One can lead to regional, interregional, national or even global such service, the supply of electricity, is extremely important. outages or failures. Information and communications tech- Almost every single service depends directly or indirectly on nology and the supply of electricity, water and natural gas in the reliable supply of electricity. particular rely on networks of this kind. Subjective perceptions of risk Links between sectors (interdependence) Government and private industry invest a great deal of Infrastructure systems are characterized by a high degree money in security and count on this investment being effec- of interconnection. Thanks to the rapid spread of informa- tive. However, the positive effects of security measures are tion technology, this development has gained momentum often not measurable in objective terms. Instead, companies over the past 15 years. In addition to making supply pro- or government authorities regard long periods without crises cesses more efficient, such interconnection also creates as confirming the effectiveness of measures taken, which can interdependencies which in many cases can be measured lead them to overlook potential threats and vulnerable areas. only in qualitative terms. Many physical, virtual and logical dependencies are not apparent until a crisis occurs and the And in practice, the risks identified are often those which connection breaks down. The high level of interdependence appear to be manageable or controllable and part of an can lead to cascading shut-downs.8 At the same time, smaller obvious chain of cause and effect.6 Other risks are ignored, and smaller disruptions are enough to cause dramatic conse- consciously or unconsciously, and their possible impacts not quences in complex systems (vulnerability paradox).9 taken into account when implementing preventive measures. 7 Cf. International Risk Governance Council 2006, pp. 11–17. 5 8 Cf. Lewis 2006, p. 1. Cf. Lewis 2006, p. 57. 6 9 Dost 2006. Rosenthal 1992, p. 74 f. 11
  12. 12. Figure 1 “Interdependencies of selected critical infrastruc- 2.3 Legal requirements concerning risk and tures” shows the interdependencies between selected critical crisis management infrastructures. Here, only direct dependencies between indi- vidual sectors or branches are initially taken into account. Public limited companies and limited liability companies (GmbH) are currently subject to overarching legal require- Changed technological framework conditions ments for controlling risk and crises. The financial sector Technology, especially information technology, is developing also has regulations which are obligatory in practice, such at a rapid pace. Often, new developments can be introduced as minimum requirements for risk management (MaRisk). only in certain areas, leaving old components and procedures According to these regulations, the concept of enterprise in place alongside new ones. New hard- and software that security includes protecting persons and material goods such has been introduced without sufficient testing or with errors; as buildings and facilities, maintaining operations through incompatible systems; inadequately planned migrations to any kind of disruption up to a crisis, whether a stock market new hard- or software platforms; and staff not properly trained crisis, natural disaster or terrorist attack. to use the new components can all lead to security gaps and areas of weakness which could, under certain circumstances, The Trading (Control and Transparency) Act (KonTraG) adds to cause the entire system to fail. the Stock Corporation Act the obligation to set up a monitor- ing system for the purpose of enterprise risk management. Types of damage The regulation refers only to public limited companies, but in Critical infrastructures are subject to many different types of practice applies also to partnerships limited by shares (KGaA) damage, from actual physical harm or damage to persons or and large limited liability companies (GmbH), in particular property, to financial losses, psychic harm and anxiety, to the those with codetermined or optional supervisory boards. public’s loss of faith in the political leadership. Figure 1: Interdependencies of selected critical infrastructures 12
  13. 13. BASIC INFORMATION ABOUT CRITICAL INFRASTRUCTURES Market risks are often dealt with in the context of the Trading Not only the Trading (Control and Transparency) Act, but also (Control and Transparency) Act. By contrast, security risks10 the harmonized European insurance law Solvency II requires and risks from events of nature are often underestimated, risk management for enterprises which takes into account all although the Act covers all risks that could threaten an enter- risks which may confront insurers. By including possible risks prise’s existence. Section 91 (2) of the Stock Corporation Act in the terms of insurance, the insurer can make the provision (AktG), for example, obliges the management boards and of insurance protection conditional on preventive measures auditors of annual accounts of public limited companies taken and thus implicitly on a system of risk management. “to take appropriate measures, in particular to set up moni- Under Section 6 (1) of the Act on Insurance Contracts (VVG), toring systems, in order to identify at an early juncture devel- failure to fulfil the terms of insurance leads to loss of cover. opments which threaten the company’s existence.” However, the law does not indicate any method to serve as a standard. In the same way, the Basel II Capital Accord, which is intend- Thus the specific measures are left up to the individual enter- ed to minimize the effects of bank failures, explicitly requires prises. The internal monitoring system should be designed that banks’ operational risks be taken into account along with to identify threatening developments early enough so that market and credit risks. Even though Basel II only deals with appropriate measures can be taken to safeguard the com- risks to financial institutions, it is possible that banks will in pany’s existence. turn require enterprises to account for their risks, thereby making lending conditional on risk management. If the sys- Thus the company’s management has a legal obligation to tem of risk management sufficiently considers and accounts implement an effective system of risk management. If it fails for all risks, this can result in more favourable lending terms, to do so, the auditor may refuse to certify the company’s as it reduces the bank’s risk of failure. annual accounts. The auditor is thus responsible for checking whether the board has provided for appropriate risk man- agement (Section 317 (4) Commercial Code). This includes an assessment of threats, evaluations of any interruptions of operations, implementation of systematic measures to avoid such interruptions, and a regularly updated emergency plan.11 Setting up a monitoring system is one of a board’s gen- eral obligations under Section 76 (1) of the Stock Corporation Act. In case of damage, the board can be held liable under Section 93 (2) of the Act if the board has violated its duty to take due care. 10 See: Federal Ministry of the Interior 2005. 11 Cf. Bockslaff 1999, p. 109. 13
  14. 14. 3 Risk and crisis management to protect critical infrastructures The strategy for risk and crisis management presented in this guide constitutes a systematic process and consists of five phases representing the necessary scope of process-based risk and crisis management in a private enterprise or a govern- ment authority. The five phases are as follows: 1. preliminary planning to establish a system of risk and crisis manage- ment; 2. risk analysis; 3. specification of preventive measures; 4. implementation of a system of crisis management; and 5. regular evaluation of phases 1 through 4. The figure 2 “The five phases of risk and crisis management” illustrates this As described here, risk and crisis management is based on a general “plan – do – check – act” (PDCA) management cycle. This allows it to be incorporated into existing management structures such as quality management, existing risk and cri- sis management, or process management. The term “organi- zation” refers here to private enterprises or government authorities which operate critical infrastructures as defined above. strategy and shows the process in the form of a chart. Figure 2: The five phases of risk and Figure 3: The process of risk and crisis crisis management12 management based on PDCA13 12 Cf. Australian/New Zealand Standard 2004, p. 13; Trauboth 2002, p. 23. 13 Cf. Gesellschaft für Anlagen- und Reaktionssicherheit 2007, p. 21. 14
  15. 15. RISK AND CRISIS MANAGEMENT TO PROTECT CRITICAL INFRASTRUCTURES 3.1 Phase 1: Preliminary planning 3.1.3 Resources Thorough preliminary planning creates the necessary condi- The needs arising from establishing risk and crisis manage- tions for successfully establishing risk and crisis management ment are estimated in advance. If necessary, an interdisciplin- in a private enterprise or a government authority. ary task force made up of organization staff can be set up to provide support to the project leader and take over individual Before applying this guide, fundamental issues need to be tasks. It helps if these staff have a detailed understanding clarified, in particular how the organization’s leadership of the organization’s structure. All the main divisions of the establishes risk and crisis management; acceptance of the organization should be represented on the task force. process; definition of responsibilities; availability of resources and definition of strategic protection aims. If the necessary expertise in risk and crisis management is lacking within the organization, staff may be given additional training or outside specialists may be hired. 3.1.1 Establishing risk and crisis management The resources needed to apply risk and crisis management Creating or expanding a system of risk and crisis manage- within the organization will be identified during the course of ment is initiated by the organization leadership, which the project. also clarifies the goals it intends to pursue. The system is implemented and applied at the working level, and staff are involved in the process. 3.1.4 Clarifying legal obligations Creating risk awareness throughout the entire organiza- Preliminary planning includes clarifying legal obligations to tion by means of consistent and transparent risk policy must establish a system of risk and crisis management. receive special attention, because the quality of risk manage- ment depends on staff acceptance and motivation. 3.1.5 Strategic protection aims 3.1.2 Division of responsibilities When establishing risk and crisis management, strategic pro- tection aims need to be formulated to define what the system The process of establishing risk and crisis management of risk and crisis management is intended to achieve. should be led by someone with expertise in this field, who is also responsible for overseeing the substantive aspects of the Protection aims are heavily influenced by ethical, opera- project. The project leader should consult with the head of tional, technical, financial, legal, social and environmental the organization as needed. It is advisable to assign this task aspects.14 15 They display the following characteristics: to the manager responsible for this area in the enterprise or government authority. they describe the status quo, they create room to implement various measures, and The head of the organization is responsible for making basic they are specific, measurable, accepted, realistic and decisions arising from the creation or expansion of risk and time-dependent (SMART). crisis management. This applies in particular to approval of financial and staff resources. Examples: It is difficult to know ahead of time which tasks will need to be best possible protection of staff and assigned in the course of implementing risk and crisis man- others on site (e. g. clients), agement. These can be specified during implementation. maintenance of the organization’s functionality even in extreme situations, compliance with legal requirements, prevention of major economic damage, and prevention of possible damage to the organization’s image. 14 Examples: human life, social relevance of the product or service pro- vided, size of the facility, financial resources, guidelines, regulations. 15 Australian/New Zealand Standard 2004, p. 15. 15
  16. 16. 3.1.6 Risk communications 3.2 Phase 2: Risk analysis In general, risk communications refer to “all communication A risk analysis structures and objectifies the information processes related to identifying, analysing, assessing and gathered on threats and risks in private enterprises and gov- managing risks and the necessary interactions between those ernment authorities. In this guide, risks refer to processes and 16 involved.” Risk communications provide the platform for their individual components. Risk analysis studies different risk awareness and risk acceptance in private enterprises and processes and their components and compares their different government authorities. Both aspects are essential for suc- risks for the organization. This comparison makes it possible cessful risk management. In the present context, it is useful to to determine the urgency and priority of measures that can distinguish between an organization’s internal and external have a significant influence on risk. In this way, risk analysis risk communications. provides the basis for managing limited financial and person- nel resources effectively and efficiently. Internal risk communications refer to all communicative interaction concerning risk within an organization: from As understood in this guide, risk analysis should answer the establishing the system of risk management to evaluating it. following questions: Risk communications should be given special attention dur- ing the process of establishing a system of risk management. What kind of threats may arise? It is crucial to discuss the subject and aims of risk manage- How likely are these threats to arise where the ment at an early stage with those who will be responsible for organization is located? it. Successful internal risk communications are the prerequi- Which areas would be vulnerable in case of threat? site for successful external risk communication. These questions show that the analysis of risks inherent in External risk communications are not aimed merely at processes or their components addresses information about informing and instructing the media and those affected; threats and about the vulnerability of processes and their rather, they seek a dialogue tailored to a specific audience. components. Here one must always remember to communicate risk- related topics in such a way that no misunderstandings can This guide deals with operational processes, i.e. core and sup- arise between sender and receiver. For example, empirical porting processes, which will not be treated separately in the research has demonstrated differences in the way experts and following and thus are referred to as processes or sub-process- ordinary persons perceive risk. In order to avoid unaccept- es; in this guide, sub-processes are understood as individual able results, risk communications should always be timely, segments of processes. unambiguous, audience-appropriate, consistent and reliable. For risk communications to be effective, the audience must The risk analysis starts by dividing the organization into pro- trust the source and find it credible.17 cesses and sub-processes. The organization itself decides the degree to which sub-processes are further subdivided; for example, if a control room is identified as part of a process, it can be defined as a sub-process. It is also possible to divide the control room itself into further sub-processes. The more lev- els of sub-processes there are, the more effort a risk analysis will require; however, it will also have greater informational value.18 16 Jungermann et al., 1991, p. 5. 17 18 For more information on detailed planning of risk communication, For more information on processes and their representation, see Wiedemann et al. 2000 and Gray et al. 2000. see Gesellschaft für Anlagen- und Reaktorsicherheit 2007. 16
  17. 17. RISK AND CRISIS MANAGEMENT TO PROTECT CRITICAL INFRASTRUCTURES Figure 4: Process, sub-processes, risk elements Facilities and equipment: Facilities and equipment of sub-processes can be found in all areas of an organization, particularly in the following: • electricity supply, • natural gas supply, • district heating, • water supply, • information technology (IT), • communications technology (CT) and • transport (including vehicles and fuel supply). Special, organization-specific facilities and equipment: This includes all specialized facilities and equipment.19 IMPORTANT NOTE: Identifying the relevant organization-specific risk elements Figure 4 “Process, sub-processes, risk elements” provides a is one of the most important prerequisites for a successful schematic representation of a process, its sub-processes and risk analysis, since critical processes are often directly their division into further sub-processes and their compo- dependent on organization-specific facilities and equipment. nents. Components of sub-processes are those elements that con- tribute to the function of a process. These elements are called “risk elements” in this guide. They are individual physical or Data and files: virtual elements which may be harmed or damaged, with an These include all information kept in electronic and paper impact on the sub-process in question. This guide covers the form needed to maintain sub-processes in the organiza- following risk elements: tion. People (staff and others on the premises): Other resources: It is essential to protect everyone on the premises suf- As referred to in this guide, this covers all other means of ficiently against threats or to take them to safety in case production not already mentioned. of imminent threat. To do so, all organizations must take precautions to provide the best possible protection for those on site, especially before police, fire and emergency 3.2.1 Criticality analysis service personnel arrive in the event of an emergency and after they leave. A criticality analysis allows an organization to identify which processes out of all those listed would have far-reaching Staff, in particular specialized staff, are risk elements in consequences for the organization if disrupted. Appropriate the sense of retaining functionality of sub-processes. measures must be taken to protect such critical processes sufficiently. The identification of risks and, above all, the Grounds: preventive measures chosen to reduce risk should initially This includes all outdoor areas, including roads, storage concentrate on risk elements of the sub-processes of critical and parking areas, green spaces and areas essential to processes. operations. Buildings: These include all structures above and below ground, such as production halls, warehouses and administrative build- ings as well as parking garages. 19 Examples: Control components, software, medical equipment, spe- cial heating and ventilation systems, secure entry systems, storage tanks, aircraft. 17
  18. 18. The following criteria may be used to identify critical 3.2.2 Risk identification processes:20 An organization’s risks are determined by the threats arising Life and health: at its location(s) which may impact on its risk elements and If the process is disrupted, what will be the impacts on by the vulnerability of these risk elements. Combining the human life and health? relevant information on threats and vulnerability results in identifying the risk to the risk elements in question and, when Time frame: aggregated, to the sub-processes in question. In this guide, If the process is disrupted, how long will it take to have an risks to the risk elements are called sub-risks; aggregated risks impact on the organization’s overall product/service? The to the sub-processes are called overall risks. The aspects of risk shorter the time, the more critical the process. identification are described in detail in the following sections. Magnitude: Threat analysis and scenario development How much of the overall product/service will be affected if Recognizing and documenting all relevant threats is crucial this process is interrupted or completely stopped? to a successful risk analysis. The first step in analysing threats and developing scenarios should therefore be drawing up a list Contractual, regulatory or legal relevance: of threats that may arise at the organization’s location(s). This If the process is disrupted, what contractual, regulatory or comprehensive list should describe the general nature of these legal consequences will this have for the organization? threats, their intensity, duration and possible effects.21 Economic damage: On the basis of a site-specific list of threats, it is possible to If the process is disrupted, what is the estimated financial develop scenarios containing additional information needed damage to the organization? for risk analysis and crisis management. These scenarios should represent realistic incidents that could result in crises. The organization should decide which criteria to use, how The staff member in charge of risk and crisis management many criteria should apply at once and what classification should determine the number of scenarios to be included in to use within the criteria. the risk analysis. The aim is to cover all possible threats. The criticality analysis results in identifying all critical pro- The following additional information is gathered for each cesses in an organization and portraying the sub-processes scenario: at work in them as well as their risk elements. Anticipated exposure: Which sub-processes and risk elements could be affected? IMPORTANT NOTE: Whether a process, sub-process or risk element is affected depends on its exposure. Both large-scale exposure and local effects may lead to shutdowns, depending on whether sub-processes and risk elements are affected and to what extent. 20 The Business Continuity Institute 2005, p. 26. 21 Annex III provides an overview of possible threats and their char- acteristics as well as further points of contact for analysing these threats. The list of threats in the Annex is limited to natural disasters, technical failure, human error, wilful acts and war. It is not meant to be exhaustive; practitioners should add further types of threats as relevant. In particular, this guide does not cover threats which arise gradually and can lead to financial, market or strategic risks. 18
  19. 19. RISK AND CRISIS MANAGEMENT TO PROTECT CRITICAL INFRASTRUCTURES Anticipated intensity: The selected scenarios should be checked, updated and How strong will the threat impact be on a sub-process added to on a regular basis. Further relevant scenarios can be and its risk elements? added as needed in order to identify all possible risks to the organization. Anticipated duration: How long could the incident last? Vulnerability analysis Along with possible threats, the vulnerability of sub-processes Advance warning: and risk elements is decisive in determining how the organi- How much time can be expected between the advance zation is affected and what damage occurs. The more vul- warning and the incident? nerable individual sub-processes and risk elements are, the greater the impact of threats on the organization’s product Secondary effects: or services. What effects will arise from process dependencies? What psychological effects could the incident produce? A catalogue of criteria is used to identify the vulnerability of What kind of public or media impact could the incident sub-processes and individual risk elements. Using the cata- have? logue of criteria, the vulnerability of each risk element in a sub-process is estimated. This can also be done using a clas- Reference incidents: sification system.23 Which comparable incidents could be examined for further information? Organizations can use the following list of criteria to create or add to their own catalogue of criteria. Likelihood of occurrence: What chance of the incident occurring can be estimated Dependence on risk elements: or identified? If a sub-process depends on a risk element in order to perform its tasks, the potential unavailability or alteration Often, the likelihood of a scenario with a pre-determined of this risk element makes the sub-process vulnerable. In intensity, geographical scale and duration, advance warning the risk analysis, this criterion can be viewed as a way to and secondary effects can only be estimated. For example, weight the importance of the risk element for the sub- historical records useful for calculating the probability of an process.24 incident have been kept only for certain natural events or fail- ures of man-made structures. When developing scenarios, it Dependence on external infrastructures: is advisable to estimate the probability of occurrence using a If a risk element depends on an external infrastructure in classification system.22 order to perform its tasks, the potential unavailability or alteration of this infrastructure makes the risk element vulnerable. IMPORTANT NOTE – DEPENDENCIES AND SCOPE OF SCENARIO: Extreme incidents typically have a broad range of impacts. For example, a power failure may affect the water supply or interfere with suppliers’ operations. 22 When developing scenarios, one should be careful to view The example of risk analysis in Annex V uses a five-step classification each scenario in isolation, such as scenario 1: Failure of exter- for the probability of possible scenarios. 23 nal power supply, scenario 2: Failure of external water sup- The example of risk analysis in Annex V uses a six-step scale of ply. Otherwise, the risk analysis will be based on a few very vulnerability (including 0 for not relevant). 24 complex scenarios with too many impacts to keep track of. In the example of risk analysis in the Annex, this criterion is used as a weighting factor. It is calculated as an individual factor in the risk But marginal effects arising from dependencies should be identification process. Estimates of the remaining vulnerability crite- incorporated into the scenarios. This applies in particular to ria are added together and therefore treated as a collective factor in effects which magnify the impacts. the risk identification process. 19
  20. 20. Dependence on internal infrastructures: Risk calculation If a risk element depends on an internal infrastructure in Within the risk analysis, calculated values, estimates or order to perform its tasks, the potential unavailability of results of the scenarios and vulnerability analysis are linked this infrastructure makes the risk element vulnerable. to risk values or results. Risk values are linked by means of a function. In this guide, sub-risks to risk elements are under- Robustness: stood as a function of the probability that the scenario in The physical robustness of risk elements (in particular question will occur and of the vulnerability of the risk ele- facilities, equipment, buildings) is an important factor for ment. The overall risk to a sub-process is then the aggregate whether they will be damaged by an extreme incident, of sub-risks to the risk elements in the sub-process. with effects for the relevant sub-processes. In principle, risks can be calculated in three different ways: 25 Actual level of protection: A risk element not sufficiently protected against a threat Qualitative risk calculation: This method delivers rough is vulnerable should this threat arise (example: (non-)exis- estimates of described risks in text form, without produc- tent building security measures). ing numerical comparability. Redundancy, substitutes: Semi-quantitative risk calculation: This method uses a If something should happen to a risk element in an organi- classification system to estimate values for individual risk zation, it is easier to handle the situation if there are back- factors so that they can be compared in numerical form. ups or substitutes to perform the same tasks. Redundancy of risk elements or substitutes reduce the vulnerability of Quantitative risk calculation: This method calculates risk the sub-process in question. factors mathematically, for example by using time-series analyses in the case of probability of occurrence, or by Restoration effort: using simulation models to identify the impacts on an Restoration effort refers to the effort needed to restore a organization. damaged risk element. With regard to the vulnerability of a sub-process, this covers not only monetary costs, but also The choice of method depends on how much effort can and the time and staff resources needed. should be expended, and on what information is available.26 Adaptability: Comparing and evaluating risks A sub-process is vulnerable if its risk elements cannot The risk values or described risks calculated in this way can adapt easily or at all to changing framework conditions now be compared with each other. Such comparison is espe- (example: in the case of hot weather leading the tem- cially useful in the case of qualitative and semi-quantitative perature of river water to rise, this could be water-cooled analyses, because the resulting values and descriptions are equipment). not absolute quantities. But the results of qualitative and semi-quantitative analyses can be very valuable in relation to Buffer capacity: each other, i.e. in internal comparison. Buffer capacity means that the sub-process can tolerate the effects of an incident to a certain degree and for a cer- The aim of such comparison is to identify those risk elements tain time without being affected. and sub-processes which face the highest risks. Transparency: Transparency means that it is easy to understand how a risk element is put together and how it functions, so that it can be repaired quickly in case of crisis, for example. Dependence on specific environmental conditions: Organizations perform under the environmental condi- tions prevailing at their location. If the organization 25 depends on specific environmental conditions, then it is Cf. Australian/New Zealand Standard 2004, pp. 18–19. 26 vulnerable to potential changes in these conditions. Annex V gives an example describing how to carry out a risk analysis using semi-quantitative calculation of sub-risks to risk elements and of overall risks to sub-processes. For another method of risk analysis specifically for the field of information technology, see: Bundesamt für Sicherheit in der Informationstechnik (BSI) 2005. 20
  21. 21. RISK AND CRISIS MANAGEMENT TO PROTECT CRITICAL INFRASTRUCTURES The risk evaluation should indicate whether the protection 3.3.1 Risk reduction aims initially defined can be achieved given the existing risks. If there are too many high sub-risks, operational protection Risk-reduction measures reduce either the vulnerability aims should be formulated to serve as the starting point for of risk elements to threats or directly address the business taking preventive measures. Examples of operational protec- continuity of critical processes by creating redundancies or tion aims are substitutes. Redundant systems or substitutes enable critical processes to continue operating under recovery manage- reducing the overall risk to sub-process X, and ment even if risk elements have been affected. 28 reducing the highest sub-risks for all sub-processes which are part of critical processes. 3.3.2 Risk avoidance The highest priority should be to take measures for the sub- processes displaying the greatest sub-risks. Risks can be avoided, either by avoiding regions where threats exist or by taking measures to ensure that threats It is ultimately the task of the organization’s decision-makers do not arise. to choose the appropriate operational protection aims and measures. It is often possible to identify areas exposed to natural threats or high-risk facilities (e. g. transport routes for hazardous cargo). Such areas can be avoided when planning new sites or 3.3 Phase 3: the construction of new buildings or facilities. Preventive measures and strategies However, it is impossible to avoid all risks, as no location is Preventive measures help reduce risks to critical processes. entirely risk-free. They help achieve operational protection aims and thus raise the threshold for potential crises in the organization (see also Figure 5). This can reduce the number and/or intensity of cri- sis incidents. Preventive measures should be subject to a cost-benefit analy- Figure 5: Incident intensity and crisis threshold sis aimed at reducing the overall risk. This is done by compar- ing potential expenditures and the direct and indirect costs resulting to the organization from an extreme incident. Com- bining the results of a risk analysis with those of a cost-benefit analysis leads to the selection of measures which are especial- ly efficient within the framework of the existing budget.27 However, measures to reduce risks that are unlikely to occur but would have dramatic impacts if they did are often impos- sible to justify on the basis of risk and cost-benefit analysis alone. In such cases, it may help to consider societal and ethi- cal aspects as well as the legal framework conditions when deciding on protective measures. Preventive strategies take advantage of the tools of risk avoid- ance, risk shifting and risk acceptance. They should only be used in tandem with risk-reduction measures, because they may severely limit the organization's flexibility (risk avoid- ance), or they may not help reduce physical risks (risk shift- ing, risk acceptance). 27 Cf. Australian/New Zealand Standard 2004, pp. 21–22. 28 Annex IV.1 contains an extensive checklist for implementing preventive measures. 21
  22. 22. 3.3.3 Risk shifting 3.4 Phase 4: Crisis management Risk shifting transfers risks to other enterprises or contract In this guide, a crisis is defined as a deviation from the normal partners in order to reduce the financial impact on one's own situation which cannot be handled using normal operating organization in case of damage. Risk-shifting instruments procedures. Crises in critical infrastructure organizations can include the following: have serious consequences for the functioning of enterprises and government authorities and thus result in harm to the shifting risk to insurers, and public or to disruption of the political, social or economic sys- shifting risk to suppliers or clients. tem. The Trading (Control and Transparency) Act (KonTraG) uses the term “threat to existence”, which is very useful for defining crises.30 A crisis should be clearly distinguished from less serious incidents, referred to in this guide as disruptions IMPORTANT NOTE: (see Figure 5, page 21). Shifting risk does not reduce physical risks to persons or goods. It only affects the financial consequences to the Crises may originate within the organization itself, for exam- organization of any damage sustained. ple financial crises as the result of mismanagement or fraud (see Figure 6). External triggers for crises include stock market crashes, negative media coverage or supply difficulties. Other major triggers for crises in critical infrastructures include natural disasters, technical failure, human error, wilful acts of 3.3.4 Acceptance of risks (residual risks) a terrorist or criminal nature, and armed conflicts. Preventive measures and strategies pursued by the organiza- Crisis management plays a major role in protecting organiza- tion raise the overall security level. Yet certain risks cannot tions and thus critical infrastructures and the public. Crisis be overcome entirely. The remaining residual risks should management cannot be separated from risk management. be documented and the organization’s willingness to accept Conceptual, organizational, procedural and physical prepara- them should be recorded in writing. tion for crises is based in part on the results of risk manage- ment. The nature and extent of residual risks identified by risk Residual risks can lead to crises which typically overwhelm management can, in some cases, influence the type of prepa- normal operations. A system of crisis management is needed ration carried out as part of crisis management. Because risk- to enable the organization to deal with such situations effec- reduction measures cannot reduce all risks and some residual tively. risk always remains, crisis management deals with crises that prevention alone cannot avert. 3.3.5 Property insurers’ experience with damages The aim of crisis management for critical infrastructure organizations is to deal with a crisis while Property insurers naturally have a special interest in protect- ing against property damage and in reducing the impact of maintaining the greatest possible ability to function, damage incidents on business continuity. and/or recovering critical functions as quickly as possible. Conclusions drawn from various damage incidents are col- lected in numerous publications (manuals, guidelines and fact sheets) of the German Insurance Association (GDV).29 These can serve as additional information sources to optimize the protection of individual organizations and facilities, thereby helping to protect critical infrastructures. 29 Cf. VdS-Richtlinien 2007, for example. 30 Cf. Trauboth 2002, p. 14 f. 22
  23. 23. RISK AND CRISIS MANAGEMENT TO PROTECT CRITICAL INFRASTRUCTURES Figure 6: Internal and external crisis triggers Successful crisis management is embedded within other The most important tasks of crisis management are: management strategies, such as risk management described above. Crisis management involves preparing and activating creating the conceptual, organizational and procedural measures to keep the organization functioning and to ensure conditions needed to deal with an extreme incident as business continuity and a return to normal operations. Evalu- effectively as possible, and ating the crisis management system during and after an inci- dent makes it possible to improve and refine the system. Crisis establishing special structures to respond in case of crisis, management can thus be understood as a PDCA cycle within in particular setting up a crisis task force. risk management. The crisis management process is shown in Figure 7. Figure 7: The crisis management process31 31 Annex IV.2 contains detailed checklists to help prepare for crises. 23
  24. 24. The most important features of crisis management are the A crisis management plan covers the following points and 33 following: indicates who is responsible for them : Crisis management is a process which includes planning, Purpose, aim and scope of the crisis management plan implementation and evaluating a plan and the resulting action in order to respond effectively and efficiently to a Legal foundations crisis. Development of a special crisis organization As a rule, measures are taken using the limited resources • crisis task force and information available. • definition of tasks, areas of responsibility and compe- tences, including the job titles responsible34 External support or resources may be needed. • specific crisis management responsibilities and activities Decisions have to be made quickly and on the basis of Development of special procedures to deal with crises, incomplete information. return to normal operations and post-crisis follow-up • chain of command and alert • models of escalation and de-escalation 3.4.1 The structure of crisis management • contact information for contacts within and outside the organization The basic elements of crisis management are a special struc- • incident-specific measures for recovery and return to ture to take action in case of crisis and scenario-based plans normal operations to ensure business continuity. All preliminary planning • information on post-crisis follow-up necessary and possible for this purpose is compiled in a crisis management plan. Development of scenario-based plan components, for example The crisis management plan • evacuation The crisis management plan lists all crisis-relevant structures • power failure and planned measures to be carried out by organization staff • pandemic responsible for crisis management and business continuity. • IT and/or CT failure A good crisis management plan is short and precise. Crisis checklists32 make it easier to ensure that all the necessary The crisis management plan must be updated and practice measures are carried out and no important tasks are forgotten. drills conducted regularly. IMPORTANT NOTE: A crisis management plan should always be drawn up, even if many preventive measures have already been implemented. 33 For an example of a crisis management plan or emergency handbook in the IT field, see: Bundesamt für Sicherheit in der Informationstechnik (BSI) 2008. 32 34 Annex IV.2 contains detailed checklists to help prepare for crises. Jungbluth 2005, p. 15. 24
  25. 25. RISK AND CRISIS MANAGEMENT TO PROTECT CRITICAL INFRASTRUCTURES Special crisis structures This model originated in a military context; it describes the Crisis situations require special structures. A crisis task force form and functions of a command staff and is directed at has the goal of dealing with crises as quickly and competently all organizations whose activities are primarily operational- as possible. The structure of the crisis task force depends on tactical. the type and needs of the critical infrastructure organization. In the field of disaster preparedness on public administration Crisis task force level, a management task force acts alongside the opera- The crisis task force is the central instrument of crisis response. tional-tactical command staff to handle administrative and It is a special structure that overrides the normal operating organizational tasks. The management task force supports procedures in order to deal with special situations in the affect- the operational-tactical components and carries out primari- ed units; in it, competences from different departments are ly administrative tasks. In case of crisis, the management task brought together under a single leadership. A crisis task force force may also act on its own if no operational components is a decision-making tool which also performs coordinating, are deployed. informing, advising and support functions. The crisis task force is made up of a leader35 and the task force team. Within the cri- The form and functions of a task force in private enterprises sis task force team, one may distinguish between and government authorities outside the field of threat pre- vention and disaster preparedness depend on the organiza- the core team, made up of the leader and up to three team tion’s needs in the event of a crisis. In some enterprises, it members with key functions, may make sense to organize the task force along the lines of a the extended team, made up of persons with designated command staff or management task force, for example if the special functions or supporting groups,36 and enterprise performs similar tasks or when close collaboration specialists to advise the task force. with disaster preparedness staff is needed. Other enterprises and government authorities may choose other ways to struc- 39 All appointed and trained task force members and their ture their task forces. The important thing is to ensure that deputies must be familiar with their specific tasks and ready the critical infrastructure operator is able to communicate to carry them out. When choosing deputies, it is also impor- with the threat prevention authority/disaster preparedness tant to remember those scenarios in which high rates of organizations. Here, an intensive staff exchange between task absenteeism may affect the task force (e. g. major epidemics forces is helpful and should be an explicit requirement for or pandemics).37 In order to deal with such situations, several management task forces. deputies should be designated. The following functions/tasks should be covered by every task Before a crisis occurs, special work-time arrangements (shift force, no matter what the organization’s tasks are40: system) should be made specifically for the task force in case of crisis; these should also include some overlapping time in managing all personnel-related aspects, which the earlier shift can update the shift coming on duty of gathering and regularly updating information on the latest developments. Crises are periods of high stress, so the situation, shifts should not exceed six to seven hours. delegating tasks to resolve the crisis and coordinating the necessary operations carried out by organization staff, A model for crisis task forces has been established in the field handling media and public relations, of threat prevention and disaster preparedness; this model is managing all aspects of information and communica- described in detail in the Fire Brigade Regulation 100.38 tions, and providing for the needs of crisis management staff. 35 The crisis task force may be headed by the same person who heads the enterprise or government agency. However, this is not advisable, as having different people for these tasks gives the decision-making level more leeway to make important and independent decisions. 36 Cf. Trauboth 2002, p. 45. 37 Measures to protect staff, in particular the crisis task force include ensuring adequate hygiene, providing protective masks and set- 39 ting up the capacity to work from home. For more information, see One possible alternative for IT-related organizations is described in Bundesamt für Bevölkerungsschutz und Katastrophenhilfe 2007, BSI-Standard 100-4. See Federal Office for Security in Information Robert Koch Institut 2005 and 2007a and Annex IV.2. Technology (BSI) 2008. 38 40 Feuerwehr-Dienstvorschrift 1999. Revised in line with Feuerwehr-Dienstvorschrift 1999. 25